u/SteelRevanchist

Spring Boot - modeling access control properly ?
▲ 2 r/softwaredevelopment+1 crossposts


Hi, this question is not necessarily limited to Spring(Boot). In my own projects I am always running into the problem of permissions to work with persisted data - making sure that only the correct users can read, update, etc. the data.

My data model consists of users, groups and the actual data (resources). From the security point of view, there's the principal, which is any entity that can be granted access to resources. The different types of privilege are just CRUD. Roles are simply a collection of privileges that can be assigned to a principal, and the role is assigned to a specific principal for a specific resource.

Now, I am evaluating whether a user can access (with a specific privilege) a given resource. The privilege is granted if any of these is true:

  1. the user themselves has the privilege
  2. a group the user is a member of has the privilege
  3. the user has the privilege defined in relationship with the group.

To give an example, imagine the application is for keeping notes for D&D campaigns. There's a difference between regular players and game masters. Game masters want to share all maps with the group, so for each map asset, the group itself has read access. The game master wants to keep some stuff secret, so only they have the full CRUD for their notes, but they can give access to some players to share specific tidbits. One of the players is designated as the treasurer, so through their membership in the group, they modify the inventory sheet, but others can only read it.

I then want to call it like so, using method security:

@PreAuthorize("@securityService.checkPermission('READ', #id, {'User'})")
public T someMethod(...) { ... }

My question is, is this the proper way to do so? I was also looking at ACL, but from what I've read online it's not recommended as it's not "modern" and heavy and will struggle with the group model, even though it seems to be fitting my use case very well otherwise.

Is there a simple approach to what I want to do - granular access to resources? This approach also requires me to have anything I want to control access to to explicitly inherit from the resource.

u/SteelRevanchist — 4 days ago
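As an added example (not code from the post), here is the post's three grant rules as one deny-by-default check in plain Java, using the D&D data from the post as constructed sample input; the Grant shape, the class and method names, and the reading of rule 3 as a per-user grant that only holds while that user is a member of the named group are all assumptions, not a Spring API:

```java
import java.util.*;

// Added example, not the poster's code. In-memory evaluation of the three rules:
// 1) direct grant to the user, 2) grant to a group the user belongs to,
// 3) grant to the user that is scoped to (and conditional on) a group membership.
public class PermissionCheck {
    enum Privilege { CREATE, READ, UPDATE, DELETE }

    // A role is a set of privileges bound to a principal for one resource.
    // viaGroupId is null for rules 1 and 2; for rule 3 it names the group the grant depends on.
    record Grant(String principalId, String resourceId, String viaGroupId, Set<Privilege> role) {}

    private final Map<String, Set<String>> groupMembers = new HashMap<>(); // groupId -> userIds
    private final List<Grant> grants = new ArrayList<>();

    void addMember(String groupId, String userId) {
        groupMembers.computeIfAbsent(groupId, k -> new HashSet<>()).add(userId);
    }
    boolean isMember(String groupId, String userId) {
        return groupMembers.getOrDefault(groupId, Set.of()).contains(userId);
    }
    void grant(String principalId, String resourceId, Privilege... p) {          // rules 1 and 2
        grants.add(new Grant(principalId, resourceId, null, EnumSet.copyOf(List.of(p))));
    }
    void grantViaGroup(String userId, String groupId, String resourceId, Privilege... p) { // rule 3
        grants.add(new Grant(userId, resourceId, groupId, EnumSet.copyOf(List.of(p))));
    }

    // Deny by default: only an explicit grant matching resource, privilege and rule can allow.
    boolean checkPermission(Privilege priv, String resourceId, String userId) {
        for (Grant g : grants) {
            if (!g.resourceId().equals(resourceId) || !g.role().contains(priv)) continue;
            boolean principalIsUser = g.principalId().equals(userId);
            if (g.viaGroupId() == null) {
                if (principalIsUser || isMember(g.principalId(), userId)) return true;
            } else if (principalIsUser && isMember(g.viaGroupId(), userId)) {
                return true; // grant lapses automatically if the user leaves the group
            }
        }
        return false;
    }

    public static void main(String[] args) {
        PermissionCheck pc = new PermissionCheck();
        pc.addMember("party", "gm"); pc.addMember("party", "treasurer"); pc.addMember("party", "player");
        pc.grant("gm", "gm-notes", Privilege.values());                 // rule 1: GM owns their notes
        pc.grant("party", "map-1", Privilege.READ);                     // rule 2: whole group reads maps
        pc.grant("party", "inventory", Privilege.READ);
        pc.grantViaGroup("treasurer", "party", "inventory", Privilege.UPDATE); // rule 3: treasurer edits
        System.out.println(pc.checkPermission(Privilege.READ, "map-1", "player"));        // true
        System.out.println(pc.checkPermission(Privilege.UPDATE, "inventory", "treasurer")); // true
        System.out.println(pc.checkPermission(Privilege.UPDATE, "inventory", "player"));    // false
        System.out.println(pc.checkPermission(Privilege.READ, "gm-notes", "player"));       // false
    }
}
```

The `@PreAuthorize` expression from the post would delegate to a bean wrapping `checkPermission`, with the authenticated principal's id taken from the security context rather than passed by the caller.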